Efficiently implementable codes for quantum key expansion 
The Shor-Preskill proof of the security of the BB84 quantum key distribution protocol relies on the theoretical existence of good classical error-correcting codes with the "dual-containing" property. A practical implementation of BB84 thus requires explicit and efficiently decodable constructions of such codes, which are not known. On the other hand, modern coding theory abounds with non-dual-containing codes with excellent performance and efficient decoding algorithms. We show that the dual-containing constraint can be lifted at a small price: instead of a key distribution protocol, an efficiently implementable key expansion protocol is obtained, capable of increasing the size of a pre-shared key by a constant factor.



Quantum key distribution (QKD) allows two distant parties Alice and Bob to establish a secret key using one-way quantum communication and public classical communication. This key is provably secure from an all-powerful eavesdropper Eve, who is allowed to intercept the quantum communication, perform block processing of quantum data, and listen to the public discussion. In contrast, key distribution by public communication alone is impossible. QKD owes its security to two facts: 1) Alice and Bob, by performing tomography on their (quantum) data, automatically obtain information about Eve's (quantum) data; 2) with this knowledge Alice and Bob can perform information reconciliation (IR) and privacy amplification (PA) to distill a key which is common to both (by IR), and about which Eve knows next to nothing (by PA). In this Letter we solve the practical question of constructing efficiently implementable codes for IR and PA.

The best known QKD protocol, BB84, was proposed by Bennett and Brassard in [1]. BB84 is a simple "prepare-and-measure" protocol which can be implemented without a quantum computer or quantum memory. Alice encodes a random bit either in the $Z$ basis $\{|0\rangle, |1\rangle\}$ or the $X$ basis $\{|+\rangle, |-\rangle\}$ [here $|\pm\rangle = \frac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)$] of a qubit system, and sends it to Bob. Bob performs a measurement in one of the two bases, chosen at random. After repeating this many times, they determine by public discussion which bits they chose the same basis for, thus establishing a raw key. They perform channel estimation on a small fraction of the raw key bits. If the channel is too noisy, they abort the protocol. Otherwise they perform IR and PA on the remaining raw key bits to obtain the final secret key.

Shor and Preskill [2] gave the first simple proof of the security of standard BB84, by relating the IR and PA steps to Calderbank-Shor-Steane (CSS) quantum error correcting codes. A CSS code protects $m$ qubits from errors by "rotating" them into a $2^m$-dimensional subspace of an $n$ qubit system. This subspace is the simultaneous eigenspace of "stabilizer" operators of the form

Here $Z$ and $X$ are Pauli matrices, and $h = h(1)\ldots h(n)$ and $g = g(1)\ldots g(n)$ are binary vectors of length $n$. The vectors $h$ and $g$ are chosen to be rows of the classical "parity check" matrices $H_1$ and $H_2$, respectively. To ensure that the stabilizer operators commute, $H_1$ and $H_2$ must be mutually orthogonal: $H_1 H_2^T = 0$. This condition is equivalent to saying that the codes corresponding to $H_1$ and $H_2$ contain each other's duals. Let the $(n-k_i)\times n$ parity check matrix $H_i$ correspond to an $[n, k_i, d]$ classical error correcting code which encodes $k_i$ bits into $n$ bits and corrects errors on any $t = (d-1)/2$ bits. Then $m = k_1 + k_2 - n$ and the CSS code corrects quantum errors on any $t$ qubits.

In order to securely implement the BB84 protocol we need to find good mutually dual-containing codes of large blocklength $n$. These are known to exist in principle, by the Gilbert-Varshamov bound for CSS codes [3]. Unfortunately, no explicit constructions are known, let alone ones that would be simple to decode. Our main result is that the dual-containing condition may be lifted. This permits us to employ excellent, efficiently decodable modern classical codes such as LDPC [?] and turbo codes [?]. The price we have to pay is that our protocol performs expansion of a pre-shared key rather than creating one from scratch. This is not much of a drawback, as existing QKD protocols require a logarithmic amount of pre-shared key to authenticate the public discussion. Still we choose to make this distinction, as in our case the pre-shared key is linear in the quantum communication cost. Our construction is closely related to the entanglement-assisted quantum codes of Brun, Devetak and Hsieh, which generalize stabilizer codes to the communication setting where the sender and receiver have access to pre-shared entanglement.

First we consider an idealized setting in which the eavesdropper is known to have introduced errors on no more than a fixed fraction of the qubits. In other words, the channel estimation is assumed to have been successfully performed. We show how to construct an $[n, m-c, d; c]$ quantum key expansion (QKE) protocol, which expands the key from $c$ to $m$ bits if at most $t = (d-1)/2$ out of $n$ qubits have become corrupted. Then we invoke standard results [?] to incorporate the channel estimation phase.

FIG. 1: The construction of the full rank matrices $N_1$ and $N_2$.

Let $H_i$ ($i = 1, 2$) be the parity check matrix for a classical $[n, k_i, d]$ code $C_i \subset \mathbb{Z}_2^n$, so that the rows of $H_i$ form a basis for $C_i^{\perp}$. Consider the $(n-k_1)\times(n-k_2)$ matrix $M = H_1 H_2^T$. In general $M \neq 0$, and it can be row and column reduced (i.e. multiplied from the left and right by non-singular transformation matrices $T_1$ and $T_2$) to a matrix of the form
$$T_1 M T_2^T = J_1 J_2^T,$$
where $n - k_1 = c + l_1$ and $n - k_2 = c + l_2$ and

This is the well known Gaussian elimination procedure. Letting $\tilde H_i = T_i H_i$ be an equivalent parity check matrix for the code $C_i$, we have $\tilde H_1 \tilde H_2^T = J_1 J_2^T$. Hence $H'_1 H'^T_2 = 0$, where the $(n-k_i)\times(n+c)$ "augmented" parity check matrices $H'_i$ (cf. [?]) are given by $H'_i = (\tilde H_i \ J_i)$. Note that $H'_i$ can be viewed as the parity check matrix of a classical code $C'_i$ by defining the row space of $H'_i$ to be $C'^{\perp}_i \subset \mathbb{Z}_2^{n+c}$. The set of errors $H'_i$ can correct is the same as the set of errors $H_i$ can correct, assuming that the last $c$ bits are error free. Thus $H'_i$ can correct the error set $S(n, c, d)$, defined as the set of binary row vectors of dimension $n + c$ with $\le (d-1)/2$ ones among the first $n$ bits, and zeros elsewhere.

To relate the error correcting properties of these classical codes to those of the corresponding CSS codes, we find it useful to extend the parity check matrices $H'_1$ and $H'_2$ to full rank matrices as shown in Figure 1. Starting with $H'_1$, whose rows are a basis for $C'^{\perp}_1$, add $m = k_1 + k_2 + c - n$ independent row vectors (comprising the matrix $E_1$) such that the rows of $H'_1$ and $E_1$ together form a basis for $C'_2 \supset C'^{\perp}_1$. Collect the remaining $n - k_2$ independent vectors in the matrix $F_1$. The $(n+c)\times(n+c)$ matrix
$$N_1 = \begin{pmatrix} H'_1 \\ E_1 \\ F_1 \end{pmatrix}$$
has full rank, and hence so does $N_1 N_1^T$. By Gaussian elimination, there exists a matrix $T$ such that $N_1 N_1^T T^T = I$. Decompose $N_2 = T N_1$ into three segments just like $N_1$:
$$N_2 = \begin{pmatrix} F_2 \\ E_2 \\ \hat H_2 \end{pmatrix}.$$
The condition $N_1 N_2^T = I$ is now written as
$$\begin{array}{lll}
H'_1 F_2^T = I, & H'_1 E_2^T = 0, & H'_1 \hat H_2^T = 0, \\
E_1 F_2^T = 0, & E_1 E_2^T = I, & E_1 \hat H_2^T = 0, \\
F_1 F_2^T = 0, & F_1 E_2^T = 0, & F_1 \hat H_2^T = I.
\end{array} \qquad (1)$$
Hence the rows of $\hat H_2$ form a basis for $C'^{\perp}_2$. With an appropriate redefinition of $F_1$ we can identify $\hat H_2$ with $H'_2$. $H'_2$ and $E_2$ together form a basis for $C'_1 \supset C'^{\perp}_2$.

An error set $\mathcal{E}_1 \subset \mathbb{Z}_2^{n+c}$ correctable by the code $H'_1$ is of the form
$$\mathcal{E}_1 = \{\, b F_2 + \beta(b) E_2 + \beta'(b) H'_2 : b \in \mathbb{Z}_2^{n-k_1} \,\},$$
where $\beta : \mathbb{Z}_2^{n-k_1} \to \mathbb{Z}_2^{m}$ and $\beta' : \mathbb{Z}_2^{n-k_1} \to \mathbb{Z}_2^{n-k_2}$ are known functions. Thus $\beta(b)$ is a row vector of dimension $m$ and $\beta(b) E_2$ is an element of the row space of $E_2$. $b$ is called the error syndrome since it uniquely specifies the error. For an error $u \in \mathcal{E}_1$, by (1), the error syndrome is calculated as $b = H'_1 u^T$. Since $H_1$ is an $[n, k_1, d]$ code, $S(n, c, d) \subset \mathcal{E}_1$.

Similarly, an error set $\mathcal{E}_2 \subset \mathbb{Z}_2^{n+c}$ correctable by the code $H'_2$ is of the form
$$\mathcal{E}_2 = \{\, p F_1 + \alpha(p) E_1 + \alpha'(p) H'_1 : p \in \mathbb{Z}_2^{n-k_2} \,\},$$
where $\alpha : \mathbb{Z}_2^{n-k_2} \to \mathbb{Z}_2^{m}$ and $\alpha' : \mathbb{Z}_2^{n-k_2} \to \mathbb{Z}_2^{n-k_1}$ are known functions. Since $H_2$ is an $[n, k_2, d]$ code, $S(n, c, d) \subset \mathcal{E}_2$.

In the Shor-Preskill proof [2] a QKD protocol was obtained by modifying an entanglement distillation protocol. Our starting point is an entanglement assisted entanglement distillation (EAED) protocol. Alice and Bob initially share the state $|\Phi\rangle^{\otimes c}$, where
$$|\Phi\rangle^{AB} = \tfrac{1}{\sqrt{2}}\left(|0\rangle^A |0\rangle^B + |1\rangle^A |1\rangle^B\right)$$
is the ebit state.

Their goal is to distill a total of $m$ ebits. The resources at their disposal are classical communication and a noisy $n$-qubit channel, which introduces errors on at most $t$ out of $n$ qubits. At the beginning of the protocol, Alice creates another $n$ ebit states locally and sends the $B$ part of them through the noisy channel to Bob. An operator written as $U \otimes V$ means that $U$ acts on "subsystem A", the $n + c$ qubits that stay with Alice, and $V$ acts on "subsystem B", the $n + c$ qubits which end up in Bob's possession. We will describe the noise more generally as acting on the latter $n + c$ qubits (even though only the first $n$ of these are affected): let $\mathcal{Q}(n, c, d)$ be the set of error operators of the form $I \otimes (X^{h_1} Z^{h_2})$ where $h_1, h_2 \in S(n, c, d)$. The $X$-type errors are called bit errors and the $Z$-type errors are called phase errors. Because $S(n, c, d) \subset \mathcal{E}_1 \cap \mathcal{E}_2$, every element of $\mathcal{Q}(n, c, d)$ is of the form

for some $p \in \mathbb{Z}_2^{n-k_2}$, $b \in \mathbb{Z}_2^{n-k_1}$.

Our EAED protocol comprises the following steps:

1. The initial state is $|\Phi\rangle^{\otimes n+c}$. The first $n$ ebits are held entirely by Alice, and the last $c$ are shared between Alice and Bob. Denote by $\mathbf{0}$ the [$(n+c)$-dimensional] all-zero vector. The state $|\Phi\rangle^{\otimes n+c}$ is the simultaneous $(-1)^{(\mathbf{0},\mathbf{0})}$ eigenstate of $\{Z^{I_{n+c}} \otimes Z^{I_{n+c}}, X^{I_{n+c}} \otimes X^{I_{n+c}}\}$. By this we mean that it is the $(-1)^0 = 1$ eigenstate of $Z^e \otimes Z^e$ for each row $e$ of the $(n+c)\times(n+c)$ identity matrix $I_{n+c}$. As the matrices $N_1$ and $N_2$ are full rank, this state is equivalently described as the simultaneous $(-1)^{(\mathbf{0},\mathbf{0};\mathbf{0},\mathbf{0};\mathbf{0},\mathbf{0})}$ eigenstate of the operators
$$\{\, Z^{H'_1} \otimes Z^{H'_1},\ X^{F_2} \otimes X^{F_2};\ Z^{E_1} \otimes Z^{E_1},\ X^{E_2} \otimes X^{E_2};\ Z^{F_1} \otimes Z^{F_1},\ X^{H'_2} \otimes X^{H'_2} \,\}. \qquad (3)$$
In other words, it is the $(-1)^0$ eigenstate of $Z^{h_1} \otimes Z^{h_1}$ for each row $h_1$ of $H'_1$, etc.

2. An error in $\mathcal{Q}(n, c, d)$ of the form (2) occurs. The new state is the simultaneous $(-1)^{(b,\,\alpha'(p);\,\beta(b),\,\alpha(p);\,\beta'(b),\,p)}$ eigenstate of the operators in (3). This is easily seen from the relations (1) and the fact that acting with $(I \otimes X^{g})$ on an eigenstate of $(Z^{h} \otimes Z^{h})$ with eigenvalue $(-1)^a$ changes the eigenvalue to $(-1)^{a + g h^T}$ [and similarly with $X$ and $Z$ interchanged].

3. In order to find out the error syndromes $b$ and $p$, Alice and Bob should measure the commuting operators $\{Z^{H'_1} \otimes Z^{H'_1}, X^{H'_2} \otimes X^{H'_2}\}$. However, this would require a non-local measurement. Since $Z^h \otimes Z^h = (Z^h \otimes I)(I \otimes Z^h)$, Alice and Bob can effectively measure $Z^h \otimes Z^h$ by Alice measuring $Z^h \otimes I$, Bob measuring $I \otimes Z^h$, and multiplying the measurement outcomes. Thus, Alice measures $Z^{H'_1} \otimes I$ and $X^{H'_2} \otimes I$, obtaining $b'$ and $p'$, and Bob measures $I \otimes Z^{H'_1}$ and $I \otimes X^{H'_2}$, obtaining $b''$ and $p''$. Alice sends Bob her measurement outcomes and Bob computes $p = p' + p''$ and $b = b' + b''$.

4. Bob performs the correction operation $I \otimes (Z^{\alpha(p) E_1} X^{\beta(b) E_2})$. Alice and Bob are left with the simultaneous $(-1)^{(\mathbf{0},\mathbf{0})}$ eigenstate of $\{Z^{E_1} \otimes Z^{E_1}, X^{E_2} \otimes X^{E_2}\}$. They can transform this state by local unitaries into $|\Phi\rangle^{\otimes m}$.

This EAED protocol is readily made into an entanglement-assisted secret key distillation protocol. Starting with the distilled state $|\Phi\rangle^{\otimes m}$, Alice measures $Z^{I_m} \otimes I$ and Bob measures $I \otimes Z^{I_m}$ to obtain a common key $k \in \mathbb{Z}_2^m$. The key is decoupled from the rest of the world, and hence from Eve, because $|\Phi\rangle^{\otimes m}$ is a pure state.

We proceed to simplify this key distillation protocol. Instead of transforming into $|\Phi\rangle^{\otimes m}$ in step 4 and measuring $\{Z^{I_m} \otimes I, I \otimes Z^{I_m}\}$, it suffices to measure $Z^{E_1} \otimes I$ and $I \otimes Z^{E_1}$ to obtain $k$ directly. In step 4, Bob need not perform the phase error part $I \otimes Z^{\alpha(p) E_1}$ of the correction operation; this commutes with the $Z^{E_1} \otimes I$ and $I \otimes Z^{E_1}$ operators, and hence does not affect the measured key value $k$. Thus measuring $X^{H'_2} \otimes I$ and $I \otimes X^{H'_2}$ in step 3 is also unnecessary. Bob performing the bit error correction $I \otimes X^{\beta(b) E_2}$, followed by measuring $I \otimes Z^{E_1}$ to get $k$, is equivalent to just measuring $I \otimes Z^{E_1}$ to get $k'$ and computing $k = k' + \beta(b)$.

The new key distillation protocol consists of steps 1 and 2, followed by:

3. Alice measures $Z^{H'_1} \otimes I$, obtaining $b'$, and Bob measures $I \otimes Z^{H'_1}$, obtaining $b''$. Alice sends $b'$ to Bob.

4. Alice measures $Z^{E_1} \otimes I$, obtaining $k$, and Bob measures $I \otimes Z^{E_1}$, obtaining $k'$. Bob computes $k = k' + \beta(b' + b'')$.

The above protocol requires multi-qubit operations 
and pre-shared entanglement. We will now reduce it to 
single-qubit operations and replace the entanglement by 
a pre-shared secret key. 

As they commute with all the other steps, Alice may perform her $Z^{H'_1} \otimes I$ and $Z^{E_1} \otimes I$ measurements before step 2. For the same reason she can measure $Z^{F_1} \otimes I$ at the same time. Together, these three measurements are equivalent to Alice measuring the $Z$ operator of each individual qubit, obtaining a string $u \in \mathbb{Z}_2^{n+c}$. Then $b' = H'_1 u^T$ and $k = E_1 u^T$.

Bob can measure $I \otimes Z^{F_1}$ at the end of the protocol, as it commutes with $I \otimes Z^{H'_1}$ and $I \otimes Z^{E_1}$. Together, these three measurements are equivalent to Bob measuring the $Z$ operator of each individual qubit. The measurement result $v \in \mathbb{Z}_2^{n+c}$ is used to compute $b'' = H'_1 v^T$ and $k' = E_1 v^T$.
Because Bob has the last $c$ qubits from the beginning (equivalently, the noise acts as the identity on them), he can measure them at the same time as Alice. Alice and Bob performing local $Z$ measurements on the last $c$ ebits is as if they shared a secret key $\kappa$ of length $c$ bits to start with. Alice measuring half of an ebit in the $Z$ basis and sending the other half through the channel is equivalent to her preparing $|0\rangle$ or $|1\rangle$ at random and sending it through the channel. This leaves us with the $[n, k_1 + k_2 - n, d; c]$ QKE protocol below.

1. Alice and Bob share a secret key $\kappa$ of length $c$ bits. Alice generates a random $n$ bit string $r$. Together they form the $n + c$ bit string $u = (r, \kappa)$. Alice computes $b' = H'_1 u^T$ and $k = E_1 u^T$.

2. Alice prepares the product state $|r\rangle$ in her lab and sends it over the noisy channel.

3. Bob receives the corrupted $n$ qubit state. He measures each qubit in the $Z$ basis, obtaining a string $r'$, which together with Bob's copy of the initial secret key $\kappa$ forms the $n + c$ bit string $v = (r', \kappa)$. Bob computes $b'' = H'_1 v^T$ and $k' = E_1 v^T$.

4. Alice sends $b'$ to Bob. Bob computes $k = k' + \beta(b' + b'')$.

The above QKE protocol deals with the unrealistic situation in which Eve is known to have introduced no more than $t$ errors. To deal with the most general eavesdropping attack, the so-called coherent attack, Alice and Bob need to be able to estimate the effective channel introduced by Eve. It was shown in [8] that there is no loss of generality in assuming that Eve effects a Pauli channel, i.e. one that applies elements of the Pauli group chosen with particular probabilities. However, preparing and measuring only in the $Z$ basis is insufficient to estimate the channel; for instance, phase errors pass undetected. The BB84 protocol circumvents this problem by preparing and measuring in both the $Z$ and $X$ bases. Alice will have to send a total of $(2 + 3\delta)n$ qubits: the factor of 2 comes from the number of different bases used and a small fraction $\delta n$ is reserved for channel estimation. The details of the protocol follow:

1. Alice creates $(2 + 3\delta)n$ random bits.

2. Alice chooses a random $(2 + 3\delta)n$-bit string $a$, which determines whether the corresponding bit of $r$ is to be prepared in the $Z$ basis (if the corresponding bit of $a$ is 0) or the $X$ basis (if the bit of $a$ is 1).

3. Alice sends the qubits to Bob.

4. Bob receives the $(2 + 3\delta)n$ qubits and measures each in the $Z$ or $X$ basis at random.

5. Alice announces $a$.

6. Bob discards any results where he measured in a different basis than Alice prepared in. With high probability, there are at least $(1 + \delta)n$ bits left (if not, abort the protocol). Alice randomly chooses a set of $n$ bits to be her string $r$, and Bob's corresponding bits comprise $r'$. The remaining $n\delta$ bits are used for channel estimation.

7. Alice and Bob publicly announce the values of their channel estimation bits. If the estimated channel introduces more than $t$ errors, they abort the protocol.

8. Alice computes $b' = H'_1 u^T$ and $k = E_1 u^T$, where $u = (r, \kappa)$. Alice announces $b'$.

9. Bob computes $b'' = H'_1 v^T$ and $k' = E_1 v^T$, where $v = (r', \kappa)$. Bob's estimate of the key $k$ is $k' + \beta(b' + b'')$.

Observe that if the protocol fails at any point, the pre-shared key $\kappa$ remains uncompromised. Since the protocol was obtained from an entanglement distillation protocol, it is also universally composable.

As in [?], we can go beyond fixed-distance codes, and instead use codes which merely perform well on i.i.d. (independent, identically distributed) channels. This is achieved by Alice performing a random permutation on her bits, and announcing it to Bob in step 5, thus symmetrizing the noisy channel induced by Eve's actions. If Alice and Bob estimate a rate $q$ of $X$ and $Z$ errors, it suffices for $C_1$ and $C_2$ to perform well on a binary symmetric channel (BSC) with error parameter slightly above $q$ [1]. Modern classical codes such as turbo codes [?] and LDPC codes [?] can essentially achieve the Shannon capacity $1 - H(q)$ on a BSC. Moreover, these codes are (suboptimally) decodable in polynomial time. This gives a key rate of $(m - c)/n \approx 2(1 - H(q)) - 1 = 1 - 2H(q)$, which hits zero at $q = 0.11$. Thus, with a QKE protocol based on modern codes we can tolerate the Shor-Preskill bound $q = 0.11$ in practice.

At present there is a large gap between abstract security proofs of QKD, which rely on the theoretical existence of certain codes, and experimental implementations, which use PA and IR codes chosen ad hoc and are thus not proven to be secure. Our result bridges this gap: it makes accessible the example of modern turbo and LDPC codes, which are readily available, easy to encode and decode, yet provide a basis for unconditionally secure key distribution protocols. The performance of specific modern codes is currently under investigation.

We thank Graeme Smith and Todd Brun for useful
Career grant no. 0545845.